| Commit message (Collapse) | Author | Age | Files |
|---|
| |
|
|
| |
Cf. http://www.openspf.org/Best_Practices/Outbound .
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some
downstream SMTP servers, not all of which are under our control.
Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers
yields undeliverable messages, and the bounces make us a potential
backscatter source. So it's better to disable SMTPUTF8 at this point.
Cf. also http://www.postfix.org/SMTPUTF8_README.html and
https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 .
See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 :
“Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the
envelope is definitely problematic for a receiver that does not
support SMTPUTF8, while UTF8 in a message header is less so.”
|
| |
|
|
| |
Cf. lmdb_table(5).
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
| |
|
|
| |
That is, on the MSA and in our local infrastructure.
|
| | |
|
| |
|
|
|
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In fact we want to only rewrite the envelope sender:
:/etc/postfix/main.cf
# Overwrite local FQDN envelope sender addresses
sender_canonical_classes = envelope_sender
propagate_unmatched_extensions =
sender_canonical_maps = cdb:$config_directory/sender_canonical
:/etc/postfix/sender_canonical
@elefant.fripost.org admin@fripost.org
However, when canonical(5) processes a mail sent vias sendmail(1), it
rewrites the envelope sender which seems to *later* be use as From:
header.
|
| |
|
|
|
|
| |
E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone
would be provisioned by ansible, too.) It's a bit unclear how to index
the subdomains (mx{1,2,3}, etc), though.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
And use main.cf's 'master_service_disable' setting to deactivate each
service that's useless for a given instance. (Hence solve conflict when
trying to listen twice on the same port, for instance.)
|
| |
|
|
|
|
|
| |
It's unfortunate that samhain cannot use the sendmail binary, and wants
to use a inet socket instead. We use a custom port to avoid
conflicts with the usual SMTP port the MX:es need to listen on.
See also: /usr/share/doc/samhain/TODO.Debian
|
|
|
We use a dedicated instance for each role: MDA, MTA out, MX, etc.
|
